Hi,
as discussed in private mail, here is the NMU.
Kind regards
T.
diff -u moin-1.5.8/debian/changelog moin-1.5.8/debian/changelog
--- moin-1.5.8/debian/changelog
+++ moin-1.5.8/debian/changelog
@@ -1,3 +1,15 @@
+moin (1.5.8-5.1) unstable; urgency=high
+
+ * NMU with maintainer consent, urgency for security updates
+ * update upstream patches to moin-1.5 branch revision 856 to fix bugs
+ + cross-site scripting vulnerabilities using AttachFile,
+ CVE-2008-0781
+ + directory traversal in MOIN_ID cookie vulnerability,
+ CVE-2008-0782 (Closes: #462984)
+ + XSS problem in login, CVE-2008-780
+
+ -- Thomas Viehmann <[EMAIL PROTECTED]> Tue, 19 Feb 2008 22:38:10 +0100
+
moin (1.5.8-5) unstable; urgency=high
* Acknowledge NMU.
only in patch2:
unchanged:
--- moin-1.5.8.orig/debian/patches/00855_userid_cookie_directory_traversal.patch
+++ moin-1.5.8/debian/patches/00855_userid_cookie_directory_traversal.patch
@@ -0,0 +1,76 @@
+# HG changeset patch
+# User Thomas Waldmann <tw AT waldmann-edv DOT de>
+# Date 1200868068 -3600
+# Node ID e69a16b6e63020ac615e74b3184d6e89597352e0
+# Parent 2f952fa361c7bc6ed127ec0618038272385186cd
+Security fix: only accept valid user IDs from the cookie
+
+diff -r 2f952fa361c7 -r e69a16b6e630 MoinMoin/user.py
+--- a/MoinMoin/user.py Sun Jan 20 17:36:42 2008 +0100
++++ b/MoinMoin/user.py Sun Jan 20 23:27:48 2008 +0100
+@@ -6,7 +6,7 @@
+ @license: GNU GPL, see COPYING for details.
+ """
+
+-import os, time, sha, codecs
++import os, time, sha, codecs, re
+
+ try:
+ import cPickle as pickle
+@@ -19,6 +19,7 @@ from MoinMoin import config, caching, wi
+ from MoinMoin import config, caching, wikiutil
+ from MoinMoin.util import filesys, timefuncs
+
++USERID_re = re.compile(r'^\d+\.\d+(\.\d+)?$')
+
+ def getUserList(request):
+ """ Get a list of all (numerical) user IDs.
+@@ -27,10 +28,9 @@ def getUserList(request):
+ @rtype: list
+ @return: all user IDs
+ """
+- import re, dircache
+- user_re = re.compile(r'^\d+\.\d+(\.\d+)?$')
++ import dircache
+ files = dircache.listdir(request.cfg.user_dir)
+- userlist = [f for f in files if user_re.match(f)]
++ userlist = [f for f in files if USERID_re.match(f)]
+ return userlist
+
+
+@@ -210,7 +210,7 @@ class User:
+ self._cfg = request.cfg
+ self.valid = 0
+ self.trusted = 0
+- self.id = id
++ self.id = self.id_sanitycheck(id)
+ self.auth_username = auth_username
+ self.auth_method = kw.get('auth_method', 'internal')
+ self.auth_attribs = kw.get('auth_attribs', ())
+@@ -298,6 +298,15 @@ class User:
+ # use it reliably in edit locking
+ from random import randint
+ return "%s.%d" % (str(time.time()), randint(0,65535))
++
++ def id_sanitycheck(self, id):
++ """ only return valid user IDs, avoid someone faking his cookie to
++ contain '../../../somefile', breaking out of the data/user/
directory!
++ """
++ if id and USERID_re.match(id):
++ return id
++ else:
++ return None
+
+ def create_or_update(self, changed=False):
+ """ Create or update a user profile
+diff -r 2f952fa361c7 -r e69a16b6e630 docs/CHANGES
+--- a/docs/CHANGES Sun Jan 20 17:36:42 2008 +0100
++++ b/docs/CHANGES Sun Jan 20 23:27:48 2008 +0100
+@@ -44,6 +44,7 @@ Version 1.5.current:
+ * Fixed Despam action (same editor grouping was broken), now looking for
+ spam edits in the last 30 days.
+ * Fixed XSS issue in login action.
++ * Security fix: only accept valid user IDs from the cookie.
+
+ Version 1.5.8:
+ New features:
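Review bot: `USERID_re` is anchored with `$`, which in Python also matches just before a trailing newline, so `id_sanitycheck` accepts a cookie value such as `'123.45\n'` and `getUserList` accepts the same form as a filename; anchoring with `\Z` instead, `USERID_re = re.compile(r'^\d+\.\d+(\.\d+)?\Z')`, makes the check exact. The pattern cannot match `/` or `..`, so the directory traversal is closed either way; this is a tightening of the new check, not a gap in it. A rejected id is also dropped silently (`return None`) — a log line at that point, if the request object exposes a logger in this version, would make cookie tampering visible to operators rather than just turning it into an anonymous session. The `User` class and its `__init__` start outside the hunk.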
only in patch2:
unchanged:
--- moin-1.5.8.orig/debian/patches/00854_login_XSS.patch
+++ moin-1.5.8/debian/patches/00854_login_XSS.patch
@@ -0,0 +1,36 @@
+# HG changeset patch
+# User Thomas Waldmann <tw AT waldmann-edv DOT de>
+# Date 1200847002 -3600
+# Node ID 2f952fa361c7bc6ed127ec0618038272385186cd
+# Parent dbe95b27954adcb135e392ff1f9c883d0cfb7dc6
+XSS fix for login action, thanks to Fernando Quintero for reporting this
+
+diff -r dbe95b27954a -r 2f952fa361c7 MoinMoin/action/login.py
+--- a/MoinMoin/action/login.py Fri Jan 18 21:40:23 2008 +0100
++++ b/MoinMoin/action/login.py Sun Jan 20 17:36:42 2008 +0100
+@@ -40,12 +40,12 @@ class LoginHandler:
+ if not user.isValidName(request, name):
+ error = _("""Invalid user name {{{'%s'}}}.
+ Name may contain any Unicode alpha numeric character, with optional one
+-space between words. Group page name is not allowed.""") % name
++space between words. Group page name is not allowed.""") %
wikiutil.escape(name)
+
+ # Check that user exists
+ elif not user.getUserId(request, name):
+ error = _('Unknown user name: {{{"%s"}}}. Please enter'
+- ' user name and password.') % name
++ ' user name and password.') %
wikiutil.escape(name)
+
+ # Require password
+ else:
+diff -r dbe95b27954a -r 2f952fa361c7 docs/CHANGES
+--- a/docs/CHANGES Fri Jan 18 21:40:23 2008 +0100
++++ b/docs/CHANGES Sun Jan 20 17:36:42 2008 +0100
+@@ -43,6 +43,7 @@ Version 1.5.current:
+ * added missing data/plugin/converter package
+ * Fixed Despam action (same editor grouping was broken), now looking for
+ spam edits in the last 30 days.
++ * Fixed XSS issue in login action.
+
+ Version 1.5.8:
+ New features:
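Review bot: Both changed lines call `wikiutil.escape(name)` without the quote argument, so `"` and `'` in the submitted name pass through unchanged; that is sufficient where the error string is rendered as text content, which the `{{{'%s'}}}` wiki-markup form suggests, but it would not be if the message is ever placed into an HTML attribute, where `wikiutil.escape(name, 1)` is the form needed — the 00856 patch in this same NMU uses that form for form-field values. A one-line comment at the first escape, `# name is user input; escape before it reaches the rendered error`, would record why the call is there. The `LoginHandler` class and the enclosing method start and end outside the hunk.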
only in patch2:
unchanged:
--- moin-1.5.8.orig/debian/patches/00852_add_missing_converter.patch
+++ moin-1.5.8/debian/patches/00852_add_missing_converter.patch
@@ -0,0 +1,27 @@
+# HG changeset patch
+# User Thomas Waldmann <tw AT waldmann-edv DOT de>
+# Date 1193382918 -7200
+# Node ID ca98a59c590262c1a7cad51be6af1dfa40e605fe
+# Parent cb0593b6fc0599e4bb5b206d46f0ee8d12232bcf
+added missing data/plugin/converter package
+
+diff -r cb0593b6fc05 -r ca98a59c5902 docs/CHANGES
+--- a/docs/CHANGES Wed Sep 26 06:51:37 2007 +0200
++++ b/docs/CHANGES Fri Oct 26 09:15:18 2007 +0200
+@@ -40,6 +40,7 @@ Version 1.5.current:
+ * Avoid 'current' file corruption in out-of-space conditions.
+ * Fix "Toggle line numbers" link in code areas, so it gets translated
+ for the current user's language.
++ * added missing data/plugin/converter package
+
+ Version 1.5.8:
+ New features:
+diff -r cb0593b6fc05 -r ca98a59c5902 wiki/data/plugin/converter/__init__.py
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ b/wiki/data/plugin/converter/__init__.py Fri Oct 26 09:15:18 2007 +0200
+@@ -0,0 +1,5 @@
++# -*- coding: iso-8859-1 -*-
++
++from MoinMoin.util import pysupport
++
++modules = pysupport.getPackageModules(__file__)
only in patch2:
unchanged:
--- moin-1.5.8.orig/debian/patches/00853_despam_editor_grouping.patch
+++ moin-1.5.8/debian/patches/00853_despam_editor_grouping.patch
@@ -0,0 +1,131 @@
+# HG changeset patch
+# User Thomas Waldmann <tw AT waldmann-edv DOT de>
+# Date 1200688823 -3600
+# Node ID dbe95b27954adcb135e392ff1f9c883d0cfb7dc6
+# Parent ca98a59c590262c1a7cad51be6af1dfa40e605fe
+fixed Despam action: editor grouping was broken, increase time interval to 30d
+
+diff -r ca98a59c5902 -r dbe95b27954a MoinMoin/action/Despam.py
+--- a/MoinMoin/action/Despam.py Fri Oct 26 09:15:18 2007 +0200
++++ b/MoinMoin/action/Despam.py Fri Jan 18 21:40:23 2008 +0100
+@@ -8,6 +8,8 @@
+ @license: GNU GPL, see COPYING for details.
+ """
+
++DAYS = 30 # we look for spam edits in the last x days
++
+ import time
+
+ from MoinMoin.logfile import editlog
+@@ -16,6 +18,20 @@ from MoinMoin import wikiutil, Page, Pag
+ from MoinMoin import wikiutil, Page, PageEditor
+ from MoinMoin.macro import RecentChanges
+ from MoinMoin.formatter.text_html import Formatter
++
++def render(editor_tuple):
++ etype, evalue = editor_tuple
++ if etype == 'ip':
++ ret = evalue
++ elif etype == 'interwiki':
++ ewiki, euser = evalue
++ if ewiki == 'Self':
++ ret = euser
++ else:
++ ret = '%s:%s' % evalue
++ else:
++ ret = repr(editor_tuple)
++ return ret
+
+ def show_editors(request, pagename, timestamp):
+ _ = request.getText
+@@ -31,13 +47,14 @@ def show_editors(request, pagename, time
+ if not request.user.may.read(line.pagename):
+ continue
+
+- editor = line.getEditor(request)
++ editor = line.getInterwikiEditorData(request)
+ if not line.pagename in pages:
+ pages[line.pagename] = 1
+ editors[editor] = editors.get(editor, 0) + 1
+
+- editors = [(nr, editor) for editor, nr in editors.iteritems()]
++ editors = [(nr, editor) for editor, nr in editors.items()]
+ editors.sort()
++ editors.reverse()
+
+ pg = Page.Page(request, pagename)
+
+@@ -46,7 +63,7 @@ def show_editors(request, pagename, time
+ Column('pages', label=_("Pages"), align='right'),
+ Column('link', label='', align='left')]
+ for nr, editor in editors:
+- dataset.addRow((editor, unicode(nr), pg.link_to(request,
text=_("Select Author"), querystr="action=Despam&editor=%s" %
wikiutil.url_quote_plus(editor))))
++ dataset.addRow((render(editor), unicode(nr), pg.link_to(request,
text=_("Select Author"), querystr="action=Despam&editor=%s" %
wikiutil.url_quote_plus(repr(editor)))))
+
+ table = DataBrowserWidget(request)
+ table.setData(dataset)
+@@ -77,7 +94,7 @@ def show_pages(request, pagename, editor
+
+ if not line.pagename in pages:
+ pages[line.pagename] = 1
+- if line.getEditor(request) == editor:
++ if repr(line.getInterwikiEditorData(request)) == editor:
+ line.time_tuple =
request.user.getTime(wikiutil.version2timestamp(line.ed_time_usecs))
+ request.write(RecentChanges.format_page_edits(macro, [line],
timestamp))
+
+@@ -104,10 +121,10 @@ def revert_page(request, pagename, edito
+ for line in log.reverse():
+ if first:
+ first = False
+- if line.getEditor(request) != editor:
++ if repr(line.getInterwikiEditorData(request)) != editor:
+ return
+ else:
+- if line.getEditor(request) != editor:
++ if repr(line.getInterwikiEditorData(request)) != editor:
+ rev = line.rev
+ break
+
+@@ -144,17 +161,17 @@ def revert_pages(request, editor, timest
+
+ if not line.pagename in pages:
+ pages[line.pagename] = 1
+- if line.getEditor(request) == editor:
++ if repr(line.getInterwikiEditorData(request)) == editor:
+ revertpages.append(line.pagename)
+
+- request.write("Debug: Pages to revert:<br>%s" % "<br>".join(revertpages))
++ request.write("Pages to revert:<br>%s" % "<br>".join(revertpages))
+ for pagename in revertpages:
+- request.write("Debug: Begin reverting %s ...<br>" % pagename)
++ request.write("Begin reverting %s ...<br>" % pagename)
+ msg = revert_page(request, pagename, editor)
+ if msg:
+ request.write("<p>%s: %s</p>" % (
+ Page.Page(request, pagename).link_to(request), msg))
+- request.write("Debug: Finished reverting %s.<br>" % pagename)
++ request.write("Finished reverting %s.<br>" % pagename)
+
+ def execute(pagename, request):
+ _ = request.getText
+@@ -166,7 +183,7 @@ def execute(pagename, request):
+ msg = _('You are not allowed to use this action.'))
+
+ editor = request.form.get('editor', [None])[0]
+- timestamp = time.time() - 24 * 3600
++ timestamp = time.time() - DAYS * 24 * 3600
+ # request.form.get('timestamp', [None])[0]
+ ok = request.form.get('ok', [0])[0]
+
+diff -r ca98a59c5902 -r dbe95b27954a docs/CHANGES
+--- a/docs/CHANGES Fri Oct 26 09:15:18 2007 +0200
++++ b/docs/CHANGES Fri Jan 18 21:40:23 2008 +0100
+@@ -41,6 +41,8 @@ Version 1.5.current:
+ * Fix "Toggle line numbers" link in code areas, so it gets translated
+ for the current user's language.
+ * added missing data/plugin/converter package
++ * Fixed Despam action (same editor grouping was broken), now looking for
++ spam edits in the last 30 days.
+
+ Version 1.5.8:
+ New features:
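Review bot: The three `request.write` calls in `revert_pages` still interpolate `pagename` into HTML unescaped — `"Pages to revert:<br>%s" % "<br>".join(revertpages)`, `"Begin reverting %s ...<br>" % pagename`, `"Finished reverting %s.<br>" % pagename` — and the commit only drops the `Debug:` prefix, so a page name containing markup characters is rendered raw. Wrapping each name with `wikiutil.escape(pagename)` (and joining the escaped names in the first write) closes that. Separately, `DAYS = 30` is placed above the `import` block; moving it below the imports with a note such as `# window (days) in which Despam looks for spam edits` would match the module's layout. `revert_pages` and the other functions touched here begin outside their hunks.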
only in patch2:
unchanged:
--- moin-1.5.8.orig/debian/patches/00856_attach_file_XSS.patch
+++ moin-1.5.8/debian/patches/00856_attach_file_XSS.patch
@@ -0,0 +1,78 @@
+# HG changeset patch
+# User Thomas Waldmann <tw AT waldmann-edv DOT de>
+# Date 1201046099 -3600
+# Node ID db212dfc58eff3ff7d1c9860d5fe79933217dc6e
+# Parent e69a16b6e63020ac615e74b3184d6e89597352e0
+fix XSS issues in AttachFile action
+
+diff -r e69a16b6e630 -r db212dfc58ef MoinMoin/action/AttachFile.py
+--- a/MoinMoin/action/AttachFile.py Sun Jan 20 23:27:48 2008 +0100
++++ b/MoinMoin/action/AttachFile.py Wed Jan 23 00:54:59 2008 +0100
+@@ -440,7 +440,7 @@ Otherwise, if "Rename to" is left blank,
+ 'action_name': action_name,
+ 'upload_label_file': _('File to upload'),
+ 'upload_label_rename': _('Rename to'),
+- 'rename': request.form.get('rename', [''])[0],
++ 'rename': wikiutil.escape(request.form.get('rename', [''])[0], 1),
+ 'upload_label_overwrite': _('Overwrite existing attachment of same name'),
+ 'overwrite_checked': ('', 'checked')[request.form.get('overwrite',
['0'])[0] == '1'],
+ 'upload_button': _('Upload'),
+@@ -543,6 +543,8 @@ def execute(pagename, request):
+
+
+ def upload_form(pagename, request, msg=''):
++ if msg:
++ msg = wikiutil.escape(msg)
+ _ = request.getText
+
+ request.http_headers()
+@@ -734,7 +736,7 @@ def send_moveform(pagename, request):
+ d = {'action': 'AttachFile',
+ 'do': 'attachment_move',
+ 'ticket': wikiutil.createTicket(request),
+- 'pagename': pagename,
++ 'pagename': wikiutil.escape(pagename, 1),
+ 'attachment_name': filename,
+ 'move': _('Move'),
+ 'cancel': _('Cancel'),
+@@ -821,13 +823,13 @@ def install_package(pagename, request):
+
+ if package.isPackage():
+ if package.installPackage():
+- msg=_("Attachment '%(filename)s' installed.") % {'filename':
wikiutil.escape(target)}
++ msg=_("Attachment '%(filename)s' installed.") % {'filename':
target}
+ else:
+- msg=_("Installation of '%(filename)s' failed.") % {'filename':
wikiutil.escape(target)}
++ msg=_("Installation of '%(filename)s' failed.") % {'filename':
target}
+ if package.msg != "":
+ msg += "<br><pre>" + wikiutil.escape(package.msg) + "</pre>"
+ else:
+- msg = _('The file %s is not a MoinMoin package file.' %
wikiutil.escape(target))
++ msg = _('The file %s is not a MoinMoin package file.' % target)
+
+ upload_form(pagename, request, msg=msg)
+
+@@ -911,9 +913,9 @@ def unzip_file(pagename, request):
+ "files are too big, .zip files only, exist already
or "
+ "reside in folders.") % {'filename': filename}
+ else:
+- msg = _('The file %(target)s is not a .zip file.' % target)
++ msg = _('The file %(target)s is not a .zip file.' % {'target':
filename})
+
+- upload_form(pagename, request, msg=wikiutil.escape(msg))
++ upload_form(pagename, request, msg=msg)
+
+ def send_viewfile(pagename, request):
+ _ = request.getText
+diff -r e69a16b6e630 -r db212dfc58ef docs/CHANGES
+--- a/docs/CHANGES Sun Jan 20 23:27:48 2008 +0100
++++ b/docs/CHANGES Wed Jan 23 00:54:59 2008 +0100
+@@ -43,7 +43,7 @@ Version 1.5.current:
+ * added missing data/plugin/converter package
+ * Fixed Despam action (same editor grouping was broken), now looking for
+ spam edits in the last 30 days.
+- * Fixed XSS issue in login action.
++ * Fixed XSS issues in login and AttachFile action.
+ * Security fix: only accept valid user IDs from the cookie.
+
+ Version 1.5.8:
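Review bot: `upload_form` now escapes `msg` unconditionally, but `install_package` still appends raw markup to it on the unchanged line `msg += "<br><pre>" + wikiutil.escape(package.msg) + "</pre>"`, so after this change the `<br><pre>` tags are displayed literally and `package.msg` is escaped twice. Either build that HTML suffix after the plain-text part has been escaped, or drop the inner `wikiutil.escape` and the literal tags and let `upload_form` do all the escaping; as written the package-install message display regresses. The lines `msg = _('The file %s is not a MoinMoin package file.' % target)` and `msg = _('The file %(target)s is not a .zip file.' % {'target': filename})` apply `%` before `_()`, so the translation lookup sees an already-formatted string; `_("...") % {...}` is the order used on the other changed lines of this hunk. `install_package` and `unzip_file` start outside the hunk.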